Wednesday, October 23, 2013

VRF Route Leaking from Global Routing Table

This blogtorial is in response to one of my readers' questions: "How do I use internet with VRF?". In this blogtorial we will see how to leak routes between a VRF and the global routing table. In my opinion, route leaking between two VRFs is much easier and more straightforward than leaking between a VRF and the global routing table. In any case, let's get started and see one of 2 ways (perhaps there are more ways?) to leak routes between a VRF and the global routing table.

Here is the topology -- let's get started.


Entire config can be downloaded here.
First let's start with R1 and configure interfaces and BGP.

 R1#  
 !  
 interface Loopback1  
  ip address 10.10.10.1 255.255.255.255  
 !  
 interface FastEthernet1/0  
  description connected to r2  
  ip address 1.1.1.1 255.255.255.0  
  duplex auto  
  speed auto  
 !  
 router bgp 1  
  no synchronization  
  bgp log-neighbor-changes  
  network 10.10.10.1 mask 255.255.255.255  
  neighbor 1.1.1.2 remote-as 2  
  neighbor 1.1.1.2 soft-reconfiguration inbound  
  no auto-summary  
 !  

Simple really ...
  • Just configure an IP on the interface.
  • Configure BGP with the neighbor statement.
  • Get the loopback in the BGP table using the network statement.
  • soft-reconfiguration inbound just in case we need to clear bgp for anything :) 
Now moving on to R2, which is where the real magic happens. I also found that the order in which I typed the commands mattered. For example, the "import ipv4 unicast" command had to be typed last. I am not sure if this was a bug with the version of IOS (12.4 on 7200).

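See comments in line for explanation. Note that the listing below does not include R2's "router bgp 2" section; judging by the comments and the show output further down, it peers with R1 (1.1.1.1, AS 1) and redistributes the static routes and the connected 1.1.1.0/24 into BGP.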

 R2#  
 !  
 !!<-- Configure interface facing the internet router -->!!
 interface FastEthernet1/0  
  description connected to r1 / internet  
  ip address 1.1.1.2 255.255.255.0  
  duplex auto  
  speed auto  
 !
 !!<-- Need static routes in the global table to be redistributed into BGP -->!!  
 ip route 3.3.3.3 255.255.255.255 FastEthernet1/1
 ip route 192.168.1.0 255.255.255.0 FastEthernet1/1  
 !  
 !!<-- Define the VRF and associate 'route-distinguishers and route-targets' -->!!
 ip vrf RED  
  rd 2:1  
  route-target export 2:1  
  route-target import 2:1  
 !  
 !!<-- Configure the interface facing R3 and assign it to VRF RED -->!!
 interface FastEthernet1/1  
  ip vrf forwarding RED  
  ip address 192.168.1.2 255.255.255.0  
  duplex auto  
  speed auto  
 !  
 !!<-- Configure OSPF on VRF RED so that we may learn about R3 loopback dynamically -->!!
 !!<-- We will also redistribute BGP 2 table so that R3 can learn about the global routing table -->!! 
 router ospf 1 vrf RED  
  log-adjacency-changes  
  redistribute bgp 2 subnets  
  network 192.168.1.0 0.0.0.255 area 0  
 !  
 !!<-- Create an empty route-map permitting everything -->!!
 route-map everything-from-global permit 10  
 !  
 !!<-- Attach the route-map to the "import" statement so that VRF RED can see the -->!!
 !!<-- BGP learned routes -->!!
 ip vrf RED  
  import ipv4 unicast 10000 map everything-from-global  
 !  

The "import ipv4" command is a little misleading. It should really be "import bgp ipv4", because it does not import from the main routing table; it only imports routes that are in the BGP table. So if a route that you want to import into the VRF does not show up in "show ip bgp", it will not be imported into the VRF routing table.
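The empty route-map above permits every prefix in the global BGP table into VRF RED, so the VRF is only as isolated as that table is small. A tighter import map is sketched here as an added example (not part of the original post or the downloadable config); the names GLOBAL-TO-RED and only-allowed-from-global, the choice of R1's loopback as the only allowed prefix, and the limit of 10 are assumptions. The two variants are alternatives, not meant to be pasted together.

```cisco
! --- As posted: permit-all import ---------------------------------------
! An empty permit clause has no match statement, so it matches every route
! in the global BGP table; 10000 is the only brake on what enters VRF RED.
route-map everything-from-global permit 10
!
ip vrf RED
 import ipv4 unicast 10000 map everything-from-global
!
! --- Tighter alternative: allowlist import (added example) ---------------
! Assumption: VRF RED only needs to reach R1's loopback in this lab.
ip prefix-list GLOBAL-TO-RED seq 5 permit 10.10.10.1/32
!
! Only one clause: anything the prefix-list does not match falls through
! to the route-map's implicit deny and is not imported.
route-map only-allowed-from-global permit 10
 match ip address prefix-list GLOBAL-TO-RED
!
! Prefix limit sized to the allowlist rather than 10000, so an unexpected
! growth in matching routes is capped instead of silently accepted.
! The import line is still entered last, as the post found necessary.
ip vrf RED
 import ipv4 unicast 10 map only-allowed-from-global
!
```

The "Import Map: ..., Pfx Count/Limit: ..." line in "show ip bgp vpnv4 all" (shown further down for the original config) is the place to confirm which map and limit are actually in effect.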

Moving on from that side note, let's configure R3 and verify reachability.

 R3#  
 !  
 interface Loopback1  
  ip address 3.3.3.3 255.255.255.255  
 !  
 interface FastEthernet1/1  
  description connected to r2  
  ip address 192.168.1.3 255.255.255.0  
  duplex auto  
  speed auto  
 !  
 router ospf 1  
  log-adjacency-changes  
  network 3.3.3.3 0.0.0.0 area 0  
  network 192.168.1.0 0.0.0.255 area 0  
 !  

Now let's verify that R1 loopback can ping R3 loopback.

 R1#ping 3.3.3.3 source 10.10.10.1 
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:  
 Packet sent with a source address of 10.10.10.1  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 28/52/84 ms  

Let's do a few show commands to see what the routing table and everything else looks like.

 R1#show ip bgp  
 BGP table version is 6, local router ID is 10.10.10.1  
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,  
        r RIB-failure, S Stale  
 Origin codes: i - IGP, e - EGP, ? - incomplete  
   Network     Next Hop      Metric LocPrf Weight Path  
 r> 1.1.1.0/24    1.1.1.2         0       0 2 ?  
 *> 3.3.3.3/32    1.1.1.2         0       0 2 ?  
 *> 10.10.10.1/32  0.0.0.0         0     32768 i  
 *> 192.168.1.0   1.1.1.2         0       0 2 ?  
 R1#sh ip route  
 Gateway of last resort is not set  
    1.0.0.0/24 is subnetted, 1 subnets  
 C    1.1.1.0 is directly connected, FastEthernet1/0  
    3.0.0.0/32 is subnetted, 1 subnets  
 B    3.3.3.3 [20/0] via 1.1.1.2, 00:04:09  
    10.0.0.0/32 is subnetted, 1 subnets  
 C    10.10.10.1 is directly connected, Loopback1  
 B  192.168.1.0/24 [20/0] via 1.1.1.2, 00:17:00  

 R2#sh ip bgp  
 BGP table version is 5, local router ID is 1.1.1.2  
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,  
        r RIB-failure, S Stale  
 Origin codes: i - IGP, e - EGP, ? - incomplete  
   Network     Next Hop      Metric LocPrf Weight Path  
 *> 1.1.1.0/24    0.0.0.0         0     32768 ?  
 *> 3.3.3.3/32    0.0.0.0         0     32768 ?  
 *> 10.10.10.1/32  1.1.1.1         0       0 1 i  
 *> 192.168.1.0   0.0.0.0         0     32768 ?  

 R2#sh ip bgp vpnv4 all  
 BGP table version is 6, local router ID is 1.1.1.2  
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,  
        r RIB-failure, S Stale  
 Origin codes: i - IGP, e - EGP, ? - incomplete  
   Network     Next Hop      Metric LocPrf Weight Path  
 Route Distinguisher: 2:1 (default for vrf RED)  
 Import Map: everything-from-global, Address-Family: IPv4 Unicast, Pfx Count/Limit: 4/10000  
 *> 1.1.1.0/24    0.0.0.0         0     32768 ?  
 *> 3.3.3.3/32    0.0.0.0         0     32768 ?  
 *> 10.10.10.1/32  1.1.1.1         0       0 1 i  
 r> 192.168.1.0   0.0.0.0         0     32768 ?  
 R2#sho ip route vrf RED  
 Routing Table: RED  
 Gateway of last resort is not set  
    1.0.0.0/24 is subnetted, 1 subnets  
 B    1.1.1.0 is directly connected, 00:17:01, FastEthernet1/0  
    3.0.0.0/32 is subnetted, 1 subnets  
 B    3.3.3.3 is directly connected, 00:05:21, FastEthernet1/1  
    10.0.0.0/32 is subnetted, 1 subnets  
 B    10.10.10.1 [20/0] via 1.1.1.1, 00:17:01  
 C  192.168.1.0/24 is directly connected, FastEthernet1/1  
 R2#show ip ospf database  
       OSPF Router with ID (192.168.1.2) (Process ID 1)  
         Router Link States (Area 0)  
 Link ID     ADV Router   Age     Seq#    Checksum Link count  
 192.168.1.2   192.168.1.2   1111    0x80000002 0x000E6E 1  
 192.168.1.3   192.168.1.3   363     0x80000003 0x002B33 2  
         Net Link States (Area 0)  
 Link ID     ADV Router   Age     Seq#    Checksum  
 192.168.1.3   192.168.1.3   1111    0x80000001 0x00AADA  
         Type-5 AS External Link States  
 Link ID     ADV Router   Age     Seq#    Checksum Tag  
 1.1.1.0     192.168.1.2   1025    0x80000001 0x00462B 3489660930  
 3.3.3.3     192.168.1.2   326     0x80000001 0x00DF88 3489660930  
 10.10.10.1   192.168.1.2   1025    0x80000001 0x00F65E 3489660930  

 R3#sh ip route  
 Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP  
     D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area  
     N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2  
     E1 - OSPF external type 1, E2 - OSPF external type 2  
     i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2  
     ia - IS-IS inter area, * - candidate default, U - per-user static route  
     o - ODR, P - periodic downloaded static route  
 Gateway of last resort is not set  
    1.0.0.0/24 is subnetted, 1 subnets  
 O E2  1.1.1.0 [110/1] via 192.168.1.2, 00:17:52, FastEthernet1/1  
    3.0.0.0/32 is subnetted, 1 subnets  
 C    3.3.3.3 is directly connected, Loopback1  
    10.0.0.0/32 is subnetted, 1 subnets  
 O E2  10.10.10.1 [110/1] via 192.168.1.2, 00:17:52, FastEthernet1/1  
 C  192.168.1.0/24 is directly connected, FastEthernet1/1  
 R3#sh ip ospf database  
       OSPF Router with ID (192.168.1.3) (Process ID 1)  
         Router Link States (Area 0) 
 Link ID     ADV Router   Age     Seq#    Checksum Link count  
 192.168.1.2   192.168.1.2   1163    0x80000002 0x000E6E 1  
 192.168.1.3   192.168.1.3   413     0x80000003 0x002B33 2  
         Net Link States (Area 0)  
 Link ID     ADV Router   Age     Seq#    Checksum  
 192.168.1.3   192.168.1.3   1161    0x80000001 0x00AADA  
         Type-5 AS External Link States  
 Link ID     ADV Router   Age     Seq#    Checksum Tag  
 1.1.1.0     192.168.1.2   1077    0x80000001 0x00462B 3489660930  
 3.3.3.3     192.168.1.2   377     0x80000001 0x00DF88 3489660930  
 10.10.10.1   192.168.1.2   1077    0x80000001 0x00F65E 3489660930  

There you have it -- one of two ways to leak between a VRF and the global routing table.

Stay tuned as I will post the 2nd way on how you can get this to work.

"Learning is the key ... not motivation ... you have an idiot and you get him motivated now you have a motivated idiot running around ..."

2 comments:

  1. Can you use EIGRP instead of BGP?

  2. I do not believe it is possible. However it might work differently on other platforms.
